The main difference between lastlogon and lastLogonTimeStamp is that lastlogon is updated on the Domain Controller after the user interactive logon while lastLogonTimeStamp is replicated to all Domain Controller in AD Forest, the default value is 14 days. The Lastlogon attribute is not replicated.
While working with Active Directory objects, most of the time we have to query to get objects using DateTime.
It’s much confusing to understand the difference between PowerShell lastLogon vs lastLogonTimestamp vs lastLogonDate attributes.
In the Active Directory, objects have lastlogon attributes like lastLogon, lastLogonTimestamp, and lastLogondate.
In this article, I will try to explain the difference between PowerShell lastLogon vs lastLogonTimestamp vs lastLogondate attributes in Active Directory and how to convert get-aduser lastlogon to date.
Let’s understand the last logon attributes in detail with examples using PowerShell.
PowerShell LastLogon
When a user logs on to the computer, the lastLogon attribute is updated in the domain controller.
LastLogon attribute updated in one DC after user interactive logon. It means the lastLogon attribute is not replicated.
LastLogon is very much helpful to identify a stale account or if you want to know which computer user has logged in or not.
When we run the command, it will return the recent logon timestamp of the domain controller where the user interactively logs on.
PowerShell lastLogon returns the most recent logon timestamp of ad user in number format which is not human-readable and requires converting it into date timestamp format.
The following script converts Get-AdUser lastlogon to date.
Get-ADUser -Identity Toms -Properties LastLogon | Select Name, @{Name='LastLogon';Expression={[DateTime]::FromFileTime($_.LastLogon)}}
In the above PowerShell script, the Get-AdUser cmdlet gets user properties specified by the Identity parameter and passes the output to the second command.
@{Name=’LastLogon’;Expression={[DateTime]::FromFileTime($_.LastLogon)}} – convert aduser lastlogon number format to date timestamp.
PowerShell lastLogonTimestamp
PowerShell lastLogonTimestamp attribute replicated to all domain controllers.
To prevent replication traffic every time a user logs on, its value is updated after a certain interval.
Active Directory calculates interval to update PowerShell lastLogonTimestamp value. The default update value is 14 days.
ms-DS-Logon-Time-Sync-Interval attribute defines the lastLogonTimestamp default value. if its value is not set, the default update value is 14 days.
PowerShell lastLogonTimestamp is replicated version of lastLogon.
It returns the last logon timestamp in number format which is not human-readable format and requires converting lastlogontimestamp to date.
PowerShell lastLogonDate
lastLogonDate attribute is a locally calculated value of the lastLogonTimestamp attribute in date format.
It’s very easy to write a date-time query with PowerShell lastLogonDate when we want to query get active directory objects or find active directory objects details using the lastLogonTimestamp attribute.
lastLogon vs lastLogonTimestamp vs lastLogonDate
Let’s understand the lastLogon vs lastLogonTimestamp vs lastLogonDate difference in the active directory with an example.
Let’s consider an example to get active directory user detail using the Get-ADUser cmdlet.
When the user logs on to the computer in the active directory, it stores logon date timestamp information in attributes.
Get-AdUser -Identity johnp -Properties * | Select DisplayName,LastLogon,LastLogonDate,LastLogonTimeStamp
In the above PowerShell script,
Get-ADUser cmdlet returns active directory user properties specified by the Identity parameter and passes the output to the second command.
The second command, Select Name, DistinguishedName, LastLogon, LastLogonTimestamp, and LastLogonDate from active directory user properties, and print it on the console.
Name LastLogon LastLogonDate LastLogonTimeStamp
---- --------- ------------- ------------------
John Paul 132722084016061942 7/29/2021 7:10:42 PM 132720594421239827In the above output, LastLogon and LastLogonTimestamp attribute has non-human readable format output and requires conversion.
To convert lastlogontimestamp to date, use the [DateTime]:: FromFileName in the expression and provide lastlogontimestamp for conversion to date.
To convert lastlogon to date, use the [DateTime]:: FromFileName in the expression and provide lastlogontimestamp for conversion to date.
After applying DateTime format conversion in PowerShell script convert lastlogontimestamp to date.
Get-AdUser -Identity johnp -Properties * | Select DisplayName,@{Name='LastLogon';Expression={[DateTime]::FromFileTime($_.LastLogon)}},LastLogonDate,@{Name='LastLogonTimestamp';Expression={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}
In the above script to convert lastlogontimestamp to date, get-aduser lastlogontimestamp format is number.
Using [DateTime]::FromFileTime($_.lastlogonTimestamp), it converts ad user lastlogontimestamp to datetime.
The output of the above PowerShell script for lastLogon vs lastLogonTimestamp vs lastLogonDate.
In the above image, you can see the difference between lastLogon and lastLogonTimestamp attribute values.
lastLogonTimestamp attribute user logs on value not updated in the domain controller.
Active directory performs calculations to update DateTime to prevent replication traffic.
As discussed above PowerShell LastLogonDate is the locally calculated value of lastLogonTimestamp in date-time format.
Cool Tip: How to get ad user not logged in x days in PowerShell!
Convert lastLogonTimestamp to date in PowerShell
The lastLogonTimestamp attribute of the active directory user stores the last logon timestamp. This timestamp is the number of 100-nanosecond intervals since Jan 1, 1601, UTC.
The lastLogonTimestamp attribute stores the last logon timestamp in System.Int64 data type format.
To convert lastLogonTimestamp to DateTime using PowerShell, use the below steps
- Use the DateTime class and call its FromFileTime method using the scope resolution operator ::
- FromFileTime method takes the active directory user lastLogonTimestamp attribute as an input parameter.
- Expression evaluates the
[DateTime]::FromFileTime($_.LastLogonTimestamp)into a human-readable format and converts LastLogonTimestamp to date in PowerShell.
The Get-AdUser convert LastLogonTimestamp to date example is given below:
Get-AdUser -Identity Toms -Properties * | Select DisplayName,@{Name='LastLogonTimestamp';Expression={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}
The output of the above in PowerShell converts lastlogontimestamp to DateTime in human-readable format for the lastlogontimestamp value of 132975302840000000 is :
DisplayName LastLogonTimestamp
---- ---------------
Tom Smith 5/22/2022 2:24:44 PMCool Tip: How to convert the lastlogontimestamp to date in SQL!
Conclusion
I hope the above article on PowerShell lastLogon vs lastLogonTimestamp vs lastLogonDate attributes and converting lastlogon to date for aduser is helpful to you.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.